Earlier this year, Wiz.io cloud security analysts were probing Amazon Web Services’ Route53 Domain Name Service (DNS) when they noticed that its self-service domain registration system allowed them to create a new hosted zone with the same name as the authentic AWS name server that was serving it.
Within seconds, they were surprised to see their bogus name server deluged with DNS queries from other AWS customers’ networks, carrying data such as external and internal IP addresses, computer names for finance, human resources and production servers, and company names.
In total, they received traffic from more than 15,000 different AWS users and a million endpoint devices, all after registering a fake AWS name server as ns-852.awsdns-42.net, the same name as a real AWS name server.
Ami Luttwak, co-founder and CTO of Wiz.io declared:
“We were trying to figure out how to break DNS and we had no idea what traffic we were getting. In theory, if you register a name server name … it shouldn’t have any impact.”
AWS Route53 Domain Name System service allows customers to update their domain name and the name server to which their domains point for DNS queries.
The researchers say they simply created a new hosted zone named ns-852.awsdns-42.net and pointed it at their own IP address. Afterward, they received queries from Route53 customers’ devices to their rogue, identically named server.
They were able to use that traffic to collect a trove of data on Fortune 500 companies, including the physical locations of offices and workers at some of those enterprises.
“We understood then that we were on top of an unbelievable set of intelligence, just by tapping for a few hours into a small portion of the network. I called it a nation-state intelligence capability using a simple domain registration.”
Amazon Web Services patched up the hole in February 2021, just after the researchers warned about it back in January, but so far at least two of the providers the researchers contacted regarding the vulnerability have not fixed it in their Domain Name System services.
Shir Tamari, head of Wiz.io’s security research team declared that all they had to do in order to fix the bug in AWS Route53 was to place the real AWS name-server name on a so-called “ignore” list.
“The problem was anyone could register the official name servers on the platform, so they put the list of their name servers on an ‘ignore’ list so attackers can’t register them anymore. It was a very quick and efficient fix.”
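The “ignore list” fix described above, as an added illustration of what such a guard looks like in a self-service DNS hosting API (example code written for this article, not AWS’s own implementation; the only real name used is ns-852.awsdns-42.net, the rest of the reserved list is a constructed placeholder, and blocking names below a reserved host as well as the exact host is a conservative design choice of this example, not something the article states about AWS’s list):

```python
"""Guard for a self-service DNS hosting API: refuse hosted-zone names that
collide with the provider's own authoritative name-server hostnames."""
from typing import Iterable

# Constructed sample of a provider's authoritative name-server names.
# ns-852.awsdns-42.net is the name from the Wiz.io report; the second
# entry is a made-up placeholder for illustration only.
PROVIDER_NAME_SERVERS = [
    "ns-852.awsdns-42.net",
    "ns-1.example-dns.invalid",
]


def normalize(name: str) -> str:
    """Canonicalize a DNS name so trivial variants cannot slip past the
    list: lowercase, strip surrounding whitespace and the trailing dot,
    so "NS-852.AWSDNS-42.NET." compares equal to the list entry."""
    return name.strip().rstrip(".").lower()


def is_collision(zone_name: str, reserved: Iterable[str]) -> bool:
    """True if zone_name equals a reserved name or sits underneath one.

    Assumption: treating labels beneath a reserved host as reserved too is
    a conservative choice made in this example; the article only says the
    real name-server names themselves were put on an ignore list.
    """
    zone = normalize(zone_name)
    for entry in reserved:
        r = normalize(entry)
        if zone == r or zone.endswith("." + r):
            return True
    return False


def create_hosted_zone(zone_name: str, reserved=PROVIDER_NAME_SERVERS) -> dict:
    """Simulated zone-creation handler: reject collisions before any zone
    is created, so a tenant can never be handed queries meant for the
    provider's infrastructure."""
    if is_collision(zone_name, reserved):
        return {"created": False, "reason": "name reserved for provider infrastructure"}
    return {"created": True, "zone": normalize(zone_name)}
```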
“O.G.” DNS Encounters DNSaaS
The attack exploits a gray area in the DNS infrastructure: an unintended and unforeseen result of the combination of old-school technology on some Windows machines and today’s cloud DNS service features.
Traditional Domain Name System client software is antiquated and not created for cloud-based enterprise infrastructures, but instead for trusted internal enterprise domains.
The researchers say that endpoints expose private data when they query the DNS server, and that much of this stems from the complexity of DNS itself.
DNS clients perform non-standard queries, and DNS providers allow customers to enter their own DNS zones in their server, which creates a risky combination. The clients reveal details via their Dynamic DNS updates that would be fine in an internal DNS infrastructure environment but, when operating within a cloud-based DNS service, could leak to other customers of that service provider.
The researchers also noticed that certain devices using the newer version of the Internet Protocol, IPv6, were at particular risk of being targeted by cybercriminals.
Tamari stated that, of the millions of endpoints that sent them Dynamic DNS data, internal IPv6 endpoints were found to be reachable. Because of this, those who work from home and run on IPv6 risk exposing their devices to the Internet, with 6% of IPv6 devices being exposed via HTTP, RDP, and SMB.
We can’t tell whether cybercriminals have used these DNS flaws, but the researchers warn that other DNS providers might be affected as well.